RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise

Presented at Black Hat USA 2022, Aug. 10, 2022, 3:20 p.m. (40 minutes)

In the past 5 years, we've demonstrated countless supply chain attacks in production CI/CD pipelines for virtually every company we've tested, with several dozen successful compromises of targets ranging from small businesses to Fortune 500 companies across almost every market and industry.

In this presentation, we'll explain why CI/CD pipelines are the most dangerous potential attack surface of your software supply chain. To do this, we'll discuss the sorts of technologies we frequently encounter, how they're used, and why they are the most highly privileged and valuable targets in your company's entire infrastructure. We'll then discuss specific examples (with demos!) of novel abuses of intended functionality in automated pipelines which allow us to turn the build pipelines from a simple developer utility into Remote Code Execution-as-a-Service.

Is code-signing leading your team into a false sense of security while you programmatically build someone else's malware? Is it true that "any sufficiently advanced attacker is indistinguishable from one of your developers"? Have we critically compromised nearly every CI/CD pipeline we've ever touched? The answer to all of these questions is yes.

Fortunately, this presentation will not only teach you exactly how we did it and the common weaknesses we see in these environments, but also share key defensive takeaways that you can immediately apply to your own development environments.


Presenters:

  • Viktor Gazdag - Senior Security Consultant, NCC Group
    Viktor Gazdag has worked as a pentester and security consultant for 7 years and currently leads NCC Group's research working group on cloud security. He has reported numerous vulnerabilities in products from companies such as Oracle, SAP, Atlassian, Jenkins, CloudBees Jenkins, JetBrains, and Sonatype, as well as hundreds of plugin vulnerabilities in Jenkins Plugins. In 2019, he received the Jenkins Security MVP award and gave a talk at DevOps World about the research behind finding more than 100 Jenkins Plugin vulnerabilities.
  • Iain Smart - Containerisation & Orchestration Practice Lead, NCC Group
    Iain Smart is the Containerisation and Orchestration Practice Lead at NCC Group, where he has reviewed cloud-native deployments for dozens of customers. He enjoys playing with new technologies, and if he's not hacking a Kubernetes cluster or attacking a build pipeline he can probably be found writing new home automations to annoy his family.
